Court Upholds Warrantless Internet Snooping

amigoro writes to let us know about an appeals court ruling on Friday that holds that federal agents can snoop on an individual's web surfing, email and all other forms of Internet communication habits without a warrant. The court found recording this kind of information to be analogous to the use of a pen register. In 1979 the Supreme Court ruled that this technique did not constitute a search for Fourth Amendment purposes.

Maybe it is the same. But I'm not convinced.

[khasim]

With a "pen register" all they get is the phone number you called.

That would be analogous to the IP address that you connected to (and maybe the port).

The question is how are they capturing the IP addresses? If they're capturing the packets, that's the same as a wiretap.

Encryption. Learn it. Love it. Live it.

Re:Maybe it is the same. But I'm not convinced.

[ScrewMaster]

Encryption. Learn it. Love it. Live it.

Until they illegalize it. Or, as I understand England has done, simply make it illegal to withhold your keys from government agents.

Re:Maybe it is the same. But I'm not convinced.

[Ngwenya]

Until they illegalize it.

Extremely unlikely. You'd be trashing the entire electronic commerce infrastructure which relies on solid encryption. And there's no way a corporately oriented government system is going to do that.

Anyway - you've got no worries. If the USG tried that, you'd use all those wonderful 2nd-amendment protected firearms to overthrow it? :-) OK - snarky Brit comment over. Back to the normally scheduled stuff.

Or, as I understand England has done, simply make it illegal to withhold your keys from government agents.

You mean the United Kingdom. Sadly Scotland is also sucked into RIP silliness.

The police and other law enforcement agencies still need a judicially signed warrant to obtain those keys. There's all sorts of stupidities in there - but let me ask a question: Why should you be able to refuse to obey a properly formed court order? If they served a legitimate court order to hand over they keys to your house, should it be legal to flip them the finger? If you think that encryption keys are somehow immune to warranted seizure, you have to say why. Alternatively, if you think that all court seizure orders are wrong, then you probably have to defend that one even more!

I don't have a problem with warranted search and seizure. I have a huge problem with the LEAs thinking that privacy is solely a cover for people to do evil things.

--Ng

Address implies content

[Harmonious+Botch]

From TFA

...the court said, although the government learns what computer sites someone visited, "it does not find out the contents of the messages or the particular pages on the Web sites the person viewed."

The search is no more intrusive than officers' examination of a list of phone numbers or the outside of a mailed package, neither of which requires a warrant, Judge Raymond Fisher said in the 3-0 ruling. I think that his honor missed something here. He seems to be saying that knowing the address of a web page is like knowing the address on an envelope, and in either case the contents is not being snooped upon. In the case of the letter he would be right, for a letter can contain anything ( I could mail a recipe for braised goat's eyes to Bin Laden ).
But a web address often has a 1-to-1 corespondence with its contents. Knowing the address is one simple - and undetectable - step from knowing the contents. They are doing an unconstitutional search here.

Re:Address implies content

[mi]

But a web address often has a 1-to-1 corespondence with its contents.

Often is the key word here. You ignore it in one of your examples (regular mail), but stress it in the other (web addresses). You would not be mailing to Bin Laden often — not any more often, than you would connect to a jihadist web-site to post "terrorists are swine" on it.

I think, the judge is right...

Re:Address implies content

[dirk]

Well, the first thing is that they can not get the URL, only the web site address. So they can find out you went to Slashdot.org, but not that you went to a specific article. And while there is often a 1-1 correlation between the web address and figuring out the content, the same can be said for phone numbers. If I know you called Planned Parenthood, I know just as much as if I know you went to their web site. All I know is you have some interest in something they do. It does narrow it down a bit, but is far from conclusive, especially since I don't know what exactly you looked at on the page.

I'm not a fan of the pen register rule, but this seems like a completely logical and fair expansion of the rule to cyberspace.

Re:Address implies content

[slashqwerty]

Something to keep in mind. The internet isn't so different from the mail. Simply knowing who someone communicated with provides the government with enough knowledge to track down someone who leaks embarrassing information to the press. From the U.S. Postal Museum in Washington, D.C.

At the beginning of the new America, nearly all the news came by mail. When the Constitution was signed, it was rushed by post riders to every town that had a printing press. And that's how the newspapers were able to bring the resounding news of how we were to govern ourselves. The newspapers knew of it first by mail.

In England, for centuries, the mail was frequently scrutinized by agents of the Crown or of the Parliament. It could be worth your life to write a letter that might be seen as having the seeds of treason. This did not happen here. From the beginning, by and large, the U.S. mails have been free of eyes other than our own and those of the sender.

To the framers of the Constitution, the mail made the engine of democracy run--along with the newspapers. And newspapers then printed a good deal of correspondence. Rufus Putnam, a key military figure in the Revolutionary War, said, "The knowledge diffused among the people by newspapers, by correspondence between friends" was crucial to the future of the nation. "Nothing can be more fatal to a republican government than ignorance among its citizens."

As a journalist, I have sometimes been asked where my leads for stories come from. Much of the time, they come from opening the mail. Readers from all over the country send personal stories, newspaper clippings, local court decisions, and student newspaper editorials arguing for the First Amendment rights of students. There is no other way I would have known about these stories except through the mail. It is through letters that I often receive highly confidential stories about unfairness in the justice system from people who would not trust any other form of communication.

The framers of the Constitution knew how vital the mail would be when Article I was written to protect privacy of communication through the mail.

Re:Address implies content

[Tim+C]

I think it really depends on the nature of the request. If all that's being read is a static page, then your analogy is good. If on the other hand information is being submitted to the web site (such as this comment), then merely knowing the URL doesn't tell you what was posted at all.

Not that I necessarily support the ruling, mind.

Article is misleading... here's one from wired.

[Anonamused+Cow-herd]

That article is completely misleading. The ruling covers IP addresses only. Here's a better article from Wired. For the lazy, here's the text content:

--
Appeals Court Rules No Privacy Interest in IP Addresses, Email To/From Fields

The Ninth Circuit Court of Appeals ruled Friday in United States vs. Forester that IP addresses and the To/From fields in emails are the legal equivalent of dialed phone numbers and the government can get a court order to obtain them without showing probable cause as would be needed in a search one's house.

The Court extended to the internet a 1979 case known as Smith vs. Maryland, where the Supreme Court found that individuals have no reasonable expectation of privacy in the phone numbers they dial because they transmitted them to the phone company in order to complete the call. However, under Smith, the contents of the calls could not be listened in on without proving probable cause to a judge.

The Ninth Circuit, ruling in an appeal of an Ecstasy-drug ring conviction found that emails' To/From fields and visited IP addresses were the internet's equivalent of phone numbers. For example, the government could get a log that said a person visited to http://66.230.200.100/ (Wikipedia's address). However, the court suggested that knowing full urls are very close to content (e.g. http://en.wikipedia.org/wiki/Ecstasy) and would likely require a higher burden of proof to obtain than mere IP addresses.

From a footnote in the decision:

Surveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the uniform resource locators (URL) of the pages visited might be more constitutionally problematic. A URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the persons Internet activity. For instance, a surveillance technique that captures IP addresses would show only that a person visited the New York Times' website at http://www.nytimes.com/ whereas a technique that captures URLs would also divulge the particular articles the person viewed.

Professor Orin Kerr questions whether the decision is about getting this information from an ISP or whether it was from a device installed on a computer surreptitiously. He suggests the latter should require a higher standard, but I'm not sure why? Perhaps it's because that might require law enforcement to enter a person's house?

Re:More specifically

[BoberFett]

And how exactly do they retrieve just the domain name? I imagine it has to parsed out of the full URL from the HTTP header. And as the courts of ruled before for copyright purposes, they think that having a copy of something in memory is legally the same as having a copy on the hard drive. What's good for the goose is good for the gander, so this should be considered making copies of the entire HTTP header including all URL data and possibly even POST data. That's clearly beyond just having the domain name.

The laws are technologically obsolete

[hey!]

The laws were written with specific technologies in mind.

For example a wiretap is conceptually, if not legally, tied to telephony. In order to be a wiretap, a communication must have an aural component. Thus intercepting an email being sent over WiFi is not a wiretap, but a VoIP intercept is. Likewise intercepting an email with a voice mail attachment (such as might be generated by a voice mail/email gateway on a system like Asterix) might qualify as a wiretap.

There are provisions for controlling the reading of text messages, but the law is written for a system like the old Telex system, in which the messages are ephemeral,but stored in temporary buffers at various stages of delivery. Thus while intercepting an email in a transfer agent queue is questionable, once it is delivered to your email box at the ISP, it becomes fair game. It is no longer in transit, but stored on a server. In the days of Telex, you'd take your message of the teleprinter, read it, and shred it, knowing that it was gone forever, not recoverable from your mail box or from backup tapes.

The third part of the ECPA laws deals with something called a Pen Register: a device that is attached to an old fashioned phone line to capture the in-band signaling of the phone numbers being called. Even though the privacy concerns for email or web proxy logs are identical, these situations are not covered by the Pen Register Act.

The underlying problem is this: although attempts were made in the laws to make them independent of a specific technology, those efforts failed because US law (unlike EU law) does not recognize a fundamental right to private communication. There are packages of specific rights secured by the Bill of Rights, statutes and common law privacy concerns, but these rights are much less than a true right of private communication. The reason is that you can't have a meaningful right to private communication when that communication is mediated by a third party like an ISP or a telephone company, not unless you have a fundamental right to informational privacy.

Without a right to information privacy, anything that falls into the hands of a third party is fair game. This includes information ISPs or telephone companies store in order to route and deliver a message, up to and including the entire content of the message. ECPA, which consists of the Wiretap Act, the Stored Communications Privacy Act and Pen Register Act, closed these loopholes in its time, but as of today those loopholes are wide open again.

This process will repeat itself forever, no matter how many times we close the loophole, until a fundamental right of informational privacy is recognized. We could do that be adopting into law the EU Data Directive. The reason we don't is that this would hurt US companies which are flourishing by exploiting the America's backwater status when it comes to privacy.

Re:And what happened

[PopeRatzo]

And what happened..with the anti-wiretapping laws passed several decades ago?

George Bush and Dick Cheney have used them to wipe their asses.

Here we are, more than 6 years into this calamity called the Bush Administration, and the most sincere and decent Republicans are only now starting to stand up and say "I had no idea". Well, better late than never. The ones I worry about are the dead enders who are so heavily invested in never being wrong that they cannot admit that they let themselves be led gaily into a meatgrinder for the middle-class, clapping and laughing all the way. They bear more than a passing resemblance to the fanatic jihadis, willing to self-detonate in order to keep the 21st century at bay.

I'm convinced that those who are finally coming around and denouncing the Administration will be embraced by an angry but forgiving majority who have taken the brunt but who are willing to let bygones if it means we can move forward, but that "final fourth" that are still stubbornly marching behind the butt-naked Emperors, shriveled dicks swaying in the wind, will pay a heavy karmic price.

This is great news!

[hacker]

Great news comes in strange forms sometimes...

Now we can all begin converting our internal infrastructure to using very strong, protocol-based encryption, end-to-end. Bittorrent for http, secure, anonymous, private networks wrapped around our standard applications and more.

Begin now, if you're not using strong encryption.. you should be. Don't let the government WE put into place, tell you what YOU can do with your own Internet time.

If the government we put into place is not representing your best interests, its time to replace them with one that does.

Lock everything down and keep prying eyes out.

2nd Amendment

[sconeu]

Re: crypto...

GP: Until they illegalize it.

PP: Anyway - you've got no worries. If the USG tried that, you'd use all those wonderful 2nd-amendment protected firearms to overthrow it? :

Actually, you could make a Second Amendment argument to the court. Is strong crypto still on the ITAR list? If so, it's a "munition" and the Second Amendment guarantees your right to it.